What does "npm audit fix" exactly do?
Npmpackage.jsonNpm AuditNpm Problem Overview
npm audit fix
is intended to automatically upgrade / fix vulnerabilities in npm packages. However, I haven't found out what it exactly does to fix those vulnerabilities.
I assumed that npm audit fix
would upgrade dependencies and dependencies' dependencies to the latest versions that are allowed by the semver-definitions of the packages – effectively the same as rm package-lock.json; npm install
. However npm audit fix
still performs a lot of changes after lock file removal + reinstall.
What exactly does npm audit fix
do? Does it for example install versions of dependencies newer than those allowed by the corresponding package.json
(but still semver-compatible)?
Npm Solutions
Solution 1 - Npm
From NPM's site on their audit command:
> npm audit fix
runs a full-fledged npm install
under the hood
And it seems that an audit fix only does semver-compatible upgrades by default. Listed earlier in the document:
> Have audit fix install semver-major updates to toplevel dependencies, not just semver-compatible ones: > > $ npm audit fix --force
As for the lock file, it is regenerated each time you run a command that changes package.json
. There is more information about that in an answer here as well as in the official documentation.
Solution 2 - Npm
In my understanding is not only "upgrading" but sometimes also downgrading in order to install the stable version that fix the issue, sometimes those issues comes in newer versions that maybe have introduced bugs.
E.g in my case for example npm install have upgrade react-script to 5.0.0 that has some issue and after have run:
npm audit fix --force
The force flag does : To address all issues (including breaking changes), run: npm audit fix --force
it installed the 3.0.1 with following message:
npm WARN audit Updating react-scripts to 3.0.1,which is a SemVer major change.
So it does the upgrade to the stable version of that package that fix the issue.
On top, though docs state "is running npm install under the hood" but not in the sense of installing newest version of a dependency, but could be useful also to check what happens with npm ci https://stackoverflow.com/questions/52499617/what-is-the-difference-between-npm-install-and-npm-ci